COPPA, the Children's Online Privacy Protection Act, is a US federal law that imposes strict requirements on any website, app, or online service that collects personal information from children under 13. If your site or app is directed at children, or if you have actual knowledge that a user is under 13, you must obtain verifiable parental consent before collecting personal data (subject to a few narrow exceptions, such as collecting a parent's contact details solely in order to seek that consent), post a clear and comprehensive children's privacy policy, minimize the data you collect to only what is necessary, and give parents the ability to review and delete their child's information. COPPA is enforced by the Federal Trade Commission (FTC), which has imposed penalties reaching hundreds of millions of dollars against companies that fail to comply. The law applies to operators based anywhere in the world, as long as children in the United States are affected. This guide explains what COPPA requires, how to implement age screening and parental consent, and how to write a compliant children's privacy policy.
Who Must Comply with COPPA
COPPA applies in two scenarios. First, it applies to websites and apps that are "directed to children" — meaning the site's content, visual design, characters, activities, or advertising are designed to appeal to children under 13. The FTC looks at several factors to determine this, including the subject matter, the age of models or characters, the use of animated characters or child-oriented features, music and language, and whether advertising on the site is directed at children.
Second, COPPA applies to general-audience websites and apps that have "actual knowledge" they are collecting data from a child under 13. This means if a user enters a birth date showing they are 11 years old, or states their age in a profile or chat message, the operator now has actual knowledge and must comply with COPPA for that user. Simply adding a terms-of-service clause saying "users must be 13 or older" does not relieve you of COPPA obligations if you actually know a user is underage.
Third-party services that collect data on child-directed sites also have COPPA obligations. If your child-directed site uses analytics, advertising SDKs, or social media plugins, those services must either comply with COPPA or you must configure them not to collect personal data from children. Google, for example, offers a "tag for child-directed treatment" setting for its advertising products (AdSense, AdMob, Ad Manager) that disables personalized advertising and limits the data the ad request carries. Whatever the vendor, read its children's-privacy documentation and confirm the setting is actually applied on every page or screen, not just on the one you tested.
What COPPA Requires in Your Privacy Policy
COPPA mandates a specific set of disclosures in your privacy policy, and the FTC has detailed rules about what must be included. Your policy must clearly state: the name, address, phone number, and email address of the operator (and any third parties collecting personal information through the site); the types of personal information collected from children (name, email, phone, address, screen name, photos, geolocation, persistent identifiers like cookies); how the information is collected (directly from the child, passively through cookies, through third-party services); how the information is used; whether it is disclosed to third parties and for what purposes; and that a parent can refuse to permit further collection and request deletion of data already collected.
The privacy policy must be clearly written and easy for parents to understand — legal jargon is not appropriate. The FTC recommends using plain language and organizing the policy with clear headings. For child-directed sites, a link to the privacy policy must be prominently placed on the homepage and at every point where personal information is collected from children.
Age Verification and Parental Consent
Before collecting personal information from a child under 13, you must implement an age-screening mechanism and obtain verifiable parental consent. Age screening typically involves asking the user to enter their birth date (not just clicking "I am over 13") before any data collection begins. The FTC's guidance is that the screen should ask for age in a neutral way, without signalling that 13 is the cutoff, and that a session cookie or similar mechanism should stop a visitor who is screened out from simply going back and entering a different date. If the age screen reveals the user is under 13, you must either block data collection entirely or trigger the parental consent process.
The FTC recognizes several methods for verifiable parental consent. The most common are: having the parent complete a monetary transaction with a credit card, debit card, or other online payment system that notifies the account holder of each transaction; having the parent sign a consent form and return it by postal mail, fax, or electronic scan; having the parent call a toll-free number or join a video call with trained staff; or checking a government-issued ID against a database and deleting the ID afterwards. For internal use only (where data is not disclosed publicly or to third parties), the FTC allows a less rigorous "email plus" method: an email to the parent, followed by an additional confirming step such as a delayed follow-up email, a letter, or a phone call.
The FTC has explicitly stated that simply having a child check a box claiming parental consent, or having a parent reply to a single email with no additional verification, is not sufficient. The consent method must provide a reasonable level of assurance that the person giving consent is actually the child's parent or guardian.
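The age screen and the "email plus" workflow described above, as an added example (this is illustrative code written for this guide, not part of the original page and not an FTC-endorsed implementation). It assumes a hypothetical server-side secret (GATE_SECRET) used to make the age-gate cookie tamper-evident, an injected send_email callable so the flow can be exercised without a mail server, and a 24-hour follow-up delay with a 7-day confirmation window; the delay and window are assumptions for the example, not values taken from the rule. The gate token records only the under-13 outcome, never the birth date, and child data is accepted only while consent is confirmed.

```python
"""Neutral age screen plus "email plus" parental-consent workflow (illustrative)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from enum import Enum

COPPA_AGE = 13
GATE_SECRET = secrets.token_bytes(32)  # assumed server-side secret for the gate cookie


def age_on(birth: date, today: date) -> int:
    """Whole years from birth to today; a Feb 29 birthday counts on Mar 1 in common years."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1  # birthday not yet reached this year
    return years


def screen_age(birth: date, today: date) -> tuple[bool, str]:
    """Decide under-13 and mint a signed session-cookie value holding only that outcome.

    Setting the token as a session cookie lets the site refuse a second attempt after
    a back-button, without storing the birth date itself (data minimization).
    """
    under13 = age_on(birth, today) < COPPA_AGE
    payload = f"under13={int(under13)}"
    mac = hmac.new(GATE_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return under13, f"{payload}.{mac}"


def verify_gate_token(token: str) -> bool | None:
    """Return the recorded under-13 outcome, or None if the cookie was tampered with."""
    try:
        payload, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(GATE_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload == "under13=1"


class ConsentState(Enum):
    PENDING = "pending"      # notice sent, waiting for the delayed follow-up / reply
    CONFIRMED = "confirmed"  # parent acknowledged the follow-up
    DECLINED = "declined"    # parent refused or withdrew consent
    EXPIRED = "expired"      # no confirmation inside the window


@dataclass
class ConsentRequest:
    child_id: str
    parent_email: str
    requested_at: datetime
    nonce: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    state: ConsentState = ConsentState.PENDING
    followup_sent: bool = False


class EmailPlusConsent:
    """Email plus: notice email, a waiting period, then a follow-up the parent must acknowledge."""

    FOLLOWUP_DELAY = timedelta(hours=24)  # assumption for the example
    CONFIRM_WINDOW = timedelta(days=7)    # assumption for the example

    def __init__(self, send_email):
        self.send_email = send_email  # callable(to, subject, body); injected so tests need no SMTP
        self.requests: dict[str, ConsentRequest] = {}
        self.child_data: dict[str, dict] = {}

    def request(self, child_id: str, parent_email: str, now: datetime) -> ConsentRequest:
        req = ConsentRequest(child_id, parent_email, now)
        self.requests[child_id] = req
        self.send_email(parent_email, "Parental consent requested", f"nonce={req.nonce}")
        return req

    def tick(self, now: datetime) -> None:
        """Scheduler hook: expire stale requests and send the delayed follow-up."""
        for req in self.requests.values():
            if req.state is not ConsentState.PENDING:
                continue
            elapsed = now - req.requested_at
            if elapsed >= self.CONFIRM_WINDOW:
                req.state = ConsentState.EXPIRED
            elif not req.followup_sent and elapsed >= self.FOLLOWUP_DELAY:
                self.send_email(req.parent_email, "Please confirm consent", f"nonce={req.nonce}")
                req.followup_sent = True

    def confirm(self, child_id: str, nonce: str) -> bool:
        """Accept the parent's acknowledgement only after the follow-up went out."""
        req = self.requests.get(child_id)
        if req is None or not req.followup_sent or req.state is not ConsentState.PENDING:
            return False
        if not hmac.compare_digest(req.nonce, nonce):
            return False
        req.state = ConsentState.CONFIRMED
        return True

    def store(self, child_id: str, record: dict) -> bool:
        """Collect child data only under a confirmed consent."""
        req = self.requests.get(child_id)
        if req is None or req.state is not ConsentState.CONFIRMED:
            return False
        self.child_data[child_id] = record
        return True

    def withdraw(self, child_id: str) -> None:
        """Parent refuses further collection: stop collecting and delete what was held."""
        req = self.requests.get(child_id)
        if req is not None:
            req.state = ConsentState.DECLINED
        self.child_data.pop(child_id, None)
```

Two design points worth noting: confirm() refuses any acknowledgement that arrives before the follow-up was sent, so a parent (or child) replying instantly to the first email does not count as the "plus" step; and withdraw() both flips the state and deletes the stored record, which is the behaviour a parent's refusal request has to produce.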
Data Minimization and Retention
COPPA enforces a data minimization principle: you may not collect more personal information from a child than is reasonably necessary for the child to participate in the activity. If a child wants to play a game on your site, you cannot require them to provide their full name, address, and phone number — you may only collect what the game actually needs to function.
You must also limit how long you retain children's data. COPPA requires that you retain personal information only as long as necessary to fulfill the purpose for which it was collected. Once that purpose is served, you must delete the data using reasonable measures to protect against unauthorized access during the deletion process. Your privacy policy must describe your data retention practices for children's information.
The FTC has also clarified that persistent identifiers (like cookies, device IDs, and IP addresses) count as personal information under COPPA when they can be used to recognize a user over time and across different websites or services. Identifiers used solely to support internal operations (authentication, security, frequency capping, contextual advertising, site analytics that build no behavioral profile) are exempt, but advertising cookies and analytics tracking that create a behavioral profile of a child user are subject to COPPA's consent requirements. Many child-directed sites therefore disable all third-party cookies and use only essential, first-party cookies to avoid the issue.
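A small audit of the two things the previous paragraphs and the note on third-party services turn on: which third-party hosts a page actually loads resources from, and which cookies the server sets that are not on the essential allowlist or that persist across sessions. This is an added example written for this guide, not part of the original page; the first-party hosts, the cookie allowlist, the sample HTML and the Set-Cookie headers are all constructed here and are not taken from any real site.

```python
"""Audit of third-party resources and cookies on a child-directed page (illustrative)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = {"kids.example", "static.kids.example"}  # assumed first-party hosts
ESSENTIAL_COOKIES = {"session", "age_gate"}           # assumed allowlist of essential cookies

# Constructed sample page; the hosts are placeholders for the kinds of embeds seen in practice.
SAMPLE_HTML = """
<html><head>
<script src="https://static.kids.example/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<link rel="stylesheet" href="/styles.css">
</head><body>
<img src="https://static.kids.example/logo.png">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
<img src="https://tracker.adnetwork.example/pixel.gif?u=123" width=1 height=1>
</body></html>
"""

# Constructed Set-Cookie headers as a server might emit them on the same response.
SAMPLE_COOKIES = [
    "session=abc; Path=/; HttpOnly; Secure; SameSite=Lax",
    "age_gate=under13%3D0.deadbeef; Path=/; HttpOnly; Secure",
    "_ga=GA1.2.123.456; Path=/; Max-Age=63072000",
    "adid=xyz; Domain=.adnetwork.example; Max-Age=31536000",
]


class ResourceCollector(HTMLParser):
    """Collect the URL attribute of every tag that triggers a network fetch."""
    TAGS = {"script": "src", "iframe": "src", "img": "src", "link": "href", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def third_party_hosts(html: str, first_party=FIRST_PARTY) -> set:
    """Hosts the page fetches from that are not on the first-party list."""
    parser = ResourceCollector()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        host = urlparse(url).hostname  # None for relative URLs such as /styles.css
        if host and host not in first_party:
            hosts.add(host)
    return hosts


def cookie_findings(set_cookie_headers, allow=ESSENTIAL_COOKIES) -> list:
    """(cookie name, reason) for cookies that are not essential or that outlive the session."""
    findings = []
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        name = name.strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in rest.split(";")[1:]}
        persistent = "max-age" in attrs or "expires" in attrs
        if name not in allow:
            findings.append((name, "not on essential allowlist"))
        elif persistent:
            findings.append((name, "essential cookie is persistent; prefer a session cookie"))
    return findings
```

Run against a real page the same function is fed the fetched HTML and the response's Set-Cookie headers; anything it lists is either a vendor whose child-directed configuration must be verified or a cookie the privacy policy has to account for. It only sees what the static markup references, so scripts that inject further resources at runtime still need a browser-level check.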
FTC Enforcement and Penalties
The FTC actively enforces COPPA and has brought dozens of enforcement actions against companies of all sizes. Penalties can be severe — the FTC can impose civil penalties of over $50,000 per violation, and each piece of improperly collected data can constitute a separate violation. In practice, settlements with the FTC have ranged from tens of thousands of dollars for small companies to hundreds of millions for major platforms.
Notable enforcement actions include cases against major technology companies for collecting children's data without parental consent, against app developers who embedded advertising SDKs that tracked children, and against websites that used persistent identifiers to build behavioral profiles of underage users. The FTC has also taken action against companies that failed to honor parents' deletion requests or that continued collecting data after consent was withdrawn.
To reduce your enforcement risk, conduct regular audits of your data collection practices, ensure your privacy policy accurately reflects your current practices, implement robust age-gating mechanisms, maintain records of parental consent, and train your team on COPPA requirements. If you use third-party services, verify that each one is configured for COPPA compliance and that your contracts with those services include COPPA obligations.